ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle Internet overlord ICANN has hit on an ingenious solution to the impending collision of the domain name system's Whois service and incoming European privacy legislation: let everyone else figure it out. Following a week of testy meetings in which domain registries and registrars complained they face business-destroying fines if …
Generally speaking, law overrides contract terms. If the ICANN contract requires the other party to do something illegal then surely that clause would be unenforceable.
Now let's think about the more complicated aspects: if an EU citizen registers a domain with a non-EU registrar is that registrar obliged to follow EU legislation? If so how does the EU bring the registrar to account if it has no EU residency and how does the registrar discover that citizenship of the registrant?
Not generally speaking - always (I can't think of a single situation where it doesn't) and in fact one of the explicit requirements for processing personal data in GDPR is that it must be "lawful" - in this situation it would not be lawful and thus the contract terms would be considered void.
"Generally speaking, law overrides contract terms. If the ICANN contract requires the other party to do something illegal then surely that clause would be unenforceable."
They can easily make it legal. It all boils down to consent. So what would be easier than to add a checkbox in the domain registration process: "I give consent to add my details to the ICANN database". Problem solved.
I don't have an opinion of good or bad here, but seriously: this law isn't going to change anything because it's so horribly easily diverted. Our tax dollars hard at work indeed.
"So what would be easier than to add a checkbox in the domain registration process"
It would be very easy, however the issue is that people would opt out when purchasing domains within Europe, which isn't the desired outcome for the vested interests who don't want to change the status quo.
The dutch have got it right, they have simply informed ICANN that the terms are invalid under EU law and have made the appropriate change, the problem has now been solved in the Netherlands.
One of the nice things about GDPR (from the viewpoint of a person, not the data-holding corporation), is that data holding must not be opt-out, it must be opt-in. Shell..user had it correct: there must be permission explicitly given, and if it is not explicitly given then it is implicitly denied.
Even systems which already hold data do not seem to be exempt - the data controllers are meant to come back and ask for permission anew.
It all boils down to consent. So what would be easier than to add a checkbox in the domain registration process: "I give consent to add my details to the ICANN database"
Firstly, you can't pre-tick the checkbox. Secondly, you can't refuse the service if the checkox isn't ticked. So, although consent would allow the user details to be published, ICANN can't assume that it will be given and that they can enforce that term.
It's slightly misleading. A company can refuse to do business for any reason it wants as long as that refusal isn't illegal, i.e. the trader is racist and does not want to sell to anyone that is black.
The issue here is that the law says that data must only be kept for the legal minimums, and additionally for a reason which must be stipulated via a policy explained up front. The policy will usually say that data is used for marketing. Now if upon reading the policy the customer has concerns, for example his name and email address will be shared with 3rd parties for advertising purposes, he can choose to opt out, and can choose to take his business elsewhere. Also the trader can legally refuse to do business and let the customer go elsewhere.
At this point the customer could send the written policy to the ICO showing them that the company intends to, or is using data in an unreasonable way. The ICO would then investigate. If the ICO investigated and found that the company has indeed been using data in an unreasonable way, they would then prosecute. Or if they investigated and found that the data actually wasn't being used unreasonably then the trader has done nothing wrong.
Where people get confused is in the middle ground, where either companies have existing data they are misusing, or they acquire new data without consent, or they use data in a way that contradicts the previous written policy, or they refuse to remove a customers data upon request. In these cases, the company could be breaking the law, but only an investigation could conclude that and the trader be prosecuted.
I'll quickly explain where the confusion arises. When written into law, there is a difference between the words "should" and "must".
If the law said "You should not ask for data that is not required to operate the service", then the trader still could ask for an opt-in. Legally speaking the word "should" is a suggestion.
If the law said "You must not ask for data that is not required to operate the service", then the simple act of asking for an opt-in would be illegal. The word "must" when appearing in a law means what is written is mandatory.
The law actually says that (and I simplify) "you should not ask for data that isn't required to operate the service, and you must not use that data it if you have it without consent."
It is this last example that has people thinking that you cannot refuse service if someone opts out. People are confusing the words should and must.
Nah you are confused - you are reading the wrong part of the Regulation. Consent definition is covered under Article 4.11:
"'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes...."
The key part of the sentence is "freely given" - it has been determined by legislators that this means it can not be a condition of access to a service because then there is an imbalance in the relationship given that if the data subject does not give consent they cannot engage in that service, which means when you put this into the wider context data subjects would literally be excluded from digital society if they wanted to maintain their Art.8 fundamental rights because literally 99.9999% of digital services would eventually simply block access to anyone who does not consent.
Under such circumstances it cannot be argued that consent is freely given and as such it was intended specifically during drafting and trialogue that such activities would be unlawful.
This is also not new - the issue of freely given consent goes all the way back to Convention 108 in 1980 and is actually the same level of protection provided for in 95/46/EC (the previous Data Protection Directive) the problem is 95/46/was secondary legislation and therefore implemented in different ways in different member states, GDPR is primary legislation and has no such wriggle room.
The new ePrivacy Regulation goes a step further in Recital 18 which states:
"Consent should not be considered as freely given if it is required to access any service or obtained through repetitive requests. In order to prevent such abusive requests, users should be able to order service providers to remember their choice not to consent and to adhere to technical specifications signaling not to consent, withdrawal of consent, or an objection."
So this also means that for example - if a data subject has denied consent (say through a Do Not Track signal) but a web site keeps showing those cookies banners over and over again - this would also not be considered as freely given consent.
For -most- digital services it is likely that the ePrivacy Regulation will be the relevant Regulation as opposed to GDPR when it comes to consent - GDPR is more likely to apply to services which are non-digital (there will of course be some exceptions).
This post has been deleted by its author
"Secondly, you can't refuse the service if the checkbox isn't ticked."
Why not? There's plenty of businesses where if you don't sign their contract they won't do business with you, what's different in this case?
From the ICO's site:
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
I doubt refusing to provide the service if consent isn't given constitutes "freely". Also not "separate from other T&Cs" - again you can sign the contract but refuse consent. I think anyone trying to make consent a condition for providing a service will find themselves answering to the ICO or equivalent in other jurisdictions.
"The law also only affects European citizens so it is not necessary for, say, US citizens' details to be protected equally."
This is not correct - GDPR applies to anyone who is located in the EU (even US citizens who happen to be on vacation) - not just EU Citizens. Article 3, Recitals 22 & 23 make multiple references to Data Subjects "in the Union". You can literally be passing through for the day and you are covered under GDPR for that single day.
So for example, if an American happens to be on a trip to Berlin and registers a domain whilst they are there, they would be theoretically covered.
I was thinking along similar lines. Why not, when someone is registering a domain, have a clearly seen notice, notifying the person registering the domain of the following?
By continuing the domain name registration process, you implicitly agree to allowing your personal information such as name, address and phone number, to be publicly available to look up, in conjunction with your domain name. If you do not agree, you may cancel the domain registration. In addition, if at any point after registering, you change your mind and wish to make your information private, you may submit a domain cancellation and personal information purge request to your registrar. It may take up to 7 business days for information to be purged, to allow for propagation through the Internet backbone.
I am no lawyer, but I expect the incoming EU rules don't allow a privacy-breaking contract. I.e. you can ask if someone wants to allow something such as whois entry, but not prevent them from doing business if they demand their privacy is respected.
So probably EU-based registrars could have an opt-in tickbox, but if you opt out then they still have to manage your domain but with a private registry entry. Which is sensible, but probably against what ICANN's lobbyists want.
The registrar for my domain has a paid for service whereby they load the whois info with details on how to contact the registrar. My name and details are never exposed in the public whois database
I take it that if I'm a very naughty boy the powers that be would serve a warrant on said domain registrar to get that information. Now that might only be as complicated as a govt TLA going to the first floor bogs, ripping off a national security letter from the roll, wiping their arses with it and presenting that to said registrar. but hey; better than nothing right?
What I don't understand is, is that still falling foul of the GDPR? Or does that fall foul of the ICANN rules?
It is enforceable. ICANN are well within their rights to refuse European registrars the ability to register domains as a sanction for not following their rules. They won’t, because money, but contractually they can.
That is the predicament ICANN are in. Their contract stipulates the registrars must provide contact details of the owner. EU law now forbids that.
The only way for ICANN to get what they want is to refuse to allow EU registrars service, and register domains with the end user direct, I.e. European customers buy domains themselves from America. Come brexit I think this will all become moot once the government realise that a trade deal with the US would be hindered by the GDPR. Then it would be recinded by parliament.
"That is the predicament ICANN are in. Their contract stipulates the registrars must provide contact details of the owner. EU law now forbids that."
They have, as I understand it, a contract with the US authorities that stipulates they impose conditions on registrars. Those conditions, when imposed on EU customers contradict the new EU law. So they can impose the terms on the registrars as per their contract but as the terms are contrary to EU law. At the point where the contract chain hits EU law the term becomes unenforceable.
I can understand that the US authorities with their concepts of global jurisdiction might not like this. However, if they want to keep the Privacy Figleaf in place they need to think very, very carefully about the wisdom of trying to enforce their own contract with ICANN. A graceful way round it would be for them to revise the ICANN contract with words to the effect of "where allowed by local law" slotted in.
At some point the US does need to get off its high horse. Ultimately ICANN's only power is that it runs the root DNS. Would it really be impossible for the ROTW to get together, clone that root and regard the clone as authoritative? And if they did so the US would simply have to follow.
I own a number of domains in .com, .co.uk and .eu, and my registrar hides my personal contact information for all of them.
Indeed, my registrar's default position for all new domain registrations is to hide the owner's contact details, replacing them with a forwarding postal address and an email address which forwards to my private email but which changes every few days to foil spammers. They can harvest the address, but in ten days time, it will no longer be valid.
I think you will find that it is only "incomprehensible" (or more accurately "unconscionable" ) to large US corporations that want to hoover up all this information because of "money". But it is probably true that parts of the US population also couldn't give a shit - neither, it has to be said, do I.
I think you will find that it is only "incomprehensible" (or more accurately "unconscionable" ) to large US corporations that want to hoover up all this information because of "money".
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"
the solution is clear, its what Nominet (.uk registrar) have been doing for years, dont publish individuals details, except where they have explicitly requested it. Direct copy from my domain's whois entry-
Results returned from whois.nic.uk:
Domain name:
enss.uk
Registrant:
Peter Marquis
Registrant type:
UK Individual
Registrant's address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.
Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 20-Jun-2013
Registrar:
Easy Internet Solutions Ltd [Tag = EASY-INTERNET]
URL: https://www.freevirtualservers.com
Relevant dates:
Registered on: 31-Oct-2014
Expiry date: 31-Oct-2020
Last updated: 03-Oct-2017
Registration status:
Registered until expiry date.
Name servers:
ns1.afraid.org
ns2.afraid.org
ns3.afraid.org
ns4.afraid.org
WHOIS lookup made at 14:24:04 03-Nov-2017
The reason why ICANN do not want to change their contract is because if they do they will have to do it for the ENTIRE world. Registrars in countries outside of Europe are not going to be co-operative with ICANN if they are being treated differently to European Registrars - THIS is why ICANN has a problem. They want to continue to force public WHOIS for non-EU registrars.
Of course this is already doomed to failure and they know it (the public WHOIS system globally will die in May 2018 or shortly after) but they are (as usual) behaving like a petulant teenager screaming that white is blue and stamping their feet until eventually they will be forced to comply - at which point they will go sulk for a while and then come back with the attitude that it was always supposed to be this way and they have no idea why everyone is making such a fuss; that it was not their idea to have a public WHOIS in the first place and they always opposed it...
Except for certain TLDs such as .us, every registrar I know of offers privacy at extra cost. This works by providing a special contact cod3 that can be used by law enforcement with proper court papers to identify the real person. So worst case, it seems to me that this system could be made free, with or without default. Why is this insufficient?
jira.domain.com, now offers something.jira.domain.com The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
